(The Watchdog use neighbor nodes to overhear and detect malicious node. Watchdog depends on overhearing the packets whether be discarded deliberately to identify the malicious node), in addition BDSR causes less overhead than watchdog. But if there are many cooperative black holes, in this case BDSR can not deal with them.
C. Detection by broadcasting the bluff probe packet (S-ZRP)
 Suppose, L1, L2, L3, ………., Ln-1 are the nodes between the source L0 and the destination Ln (we are considering Ln as black hole node). The algorithm works as-To detect black hole node, Origin L0 sends bluff RREQ packet which contains the address of the nonexistent node, to the nearest guard node L2. It will check its table for entry of nonexistent node. If it is not in its table it will propagate this RREQ message to the intermediate nodes till Ln-1 node. Previous Next Hop Ln-1 delivers this RREQ message to the destination Ln. The destination black hole node replies and says that I have a shortest route for nonexistent node. The Ln node sends this RREP packet back to the nodes in the discovered route. Origin L0 Node Receive RREP(NE)Ln-1,……………2,1 packet and send BLOCK (Ln, NE)IERP/BRP packet to Ln-1 node. This node deletes entry for Ln node. Now originator node or guard node broadcast this information to all the nodes.
Advantages and disadvantages
S-ZRP is an efficient solution to detect the multiple black hole nodes and to stop their attack, the simulation shows how the approach prevents the black hole nodes from receiving and relaying the packets. But S-ZRP starts the detection process from the source, this strategy will negatively affect MANET performance. In addition, the simulation must show how S-ZRP may affect important performance metrics such as network overhead and time delay. V. A PROPOSED SOLUTION: A local Intrusion Detection by Bluff Probe Packet (LIDBPP) The paper aims to propose a method based on bluff packet to detect and stop the black hole attack in AODV based MANET, this method can deal with multiple black holes attack and will start the detection process by sending a bluff packet that includes a specific virtual destination address, an intermediate node (the previous node from the black hole) will send bluff packet and will take the decision with nonintervention from the source node as follow: -
If the RREQ includes a normal address and the node has a route to the destination it will send RREP. -
If the RREQ includes a normal address and the node has not a route to the destination it will forward RREQ to the next nodes. -
if the RREQ includes the specific virtual address then it is a bluff packet and it must be forwarded, if any node sends this packet and then receives RREP from the next node, it must send block packet because this node is a black hole node. -
As in figure 4 since a black hole node sends RREP regardless of the address of RREQ, then it will response to bluff packet, so it will be blocked from the previous node.
Figure 4. A proposed solution
After blocking the black hole, the previous node will repeat sending bluff packet to the node that locates next the blocked node and the process will be repeated until blocking all the black hole nodes as in figure 5, there are no need in this process to back to the source node, every intermediate node is responsible to block all black hole nodes that locate next. -
Each bluff packet generated from the source will clean the network, because bluff packet is moved from a node to a next node as a serial process.
Figure 5. A proposed solution
By starting from the previous node, there is no need to return to the source node, so the detection and blocking process will be occurred with minimal number of packets and in short time, so network overhead and time delay will be minimized, but in S-ZRP  we can see that the detection process needs more steps and messages in order to detect and block the black hole node, especially if the distance between the source and black hole node is long, this will negatively affect the network performance such as increasing network overhead and time delay.
The algorithm of LIDBPP is as follow:
L0: source node, L1,2…..n….n+1: intermediate nodes, RREQn: RREQ with normal destination address, RREQs: RREQ with specific and virtual destination address. Stage1: Source node L0 Generate RREQ Propagate RREQ If RREQn Then Precede normal AODV algorithm Stage2: Else if RREQs && Ln send RREP to Ln-1 Then Stage3: Ln-1 send block Ln Ln receive block
(IJCSIS) International Journal of Computer Science and Information Security, Vol. 11, No. 11, November 201368http://sites.google.com/site/ijcsis/ ISSN 1947-5500